Legal Insights

Key learnings from the OAIC’s recent determination on Kmart’s use of facial recognition

By
• 08 October 2025 • 8 min read

On 26 August 2025, the Australian Privacy Commissioner, Carly Kind, determined that Kmart had breached the Privacy Act 1988 (Privacy Act) by using facial recognition technology (FRT) to capture and analyse images of the faces of individuals entering several of its stores between June 2020 and July 2022 (the Kmart Decision). The Kmart Decision builds on and reinforces the Commissioner’s 2024 decision regarding Bunnings’ similar use of FRT in its stores (Bunnings Decision). 

How did Kmart use FRT? 

Kmart used FRT systems at 28 stores during the relevant period. 

Importantly, the face of every person entering a store or attending the returns service desk was captured by CCTV. The FRT system used the resulting images to match the customers’ biometric information with images stored in a database containing the details of customers who were considered ‘persons of interest’ (being individuals who had attempted, or were suspected of having attempted, to make fraudulent returns at a Kmart store). 

If a match occurred, the system alerted Kmart staff. The staff would then review the CCTV footage manually, and decide whether to continue with the refund. 

Kmart claimed that this process was intended to prevent refund fraud.

Was Kmart’s collection of sensitive information via FRT permitted?

This use of FRT constituted a collection and use of sensitive information for the purposes of the Privacy Act and Australian Privacy Principles (APPs), as the resulting images and maps of ‘facial vectors’ were biometric information. The key question was therefore whether the collection was compliant with Kmart’s obligations under APPs 1, 3 and 5.

Kmart did not contest that it had not obtained consent to the collection (which it ordinarily would have been required to do by APP 3.3). It instead sought to rely on the exception in APP 3.4, which allows for the collection of sensitive information without consent if a permitted general situation (PGS) under section 16A of the Privacy Act exists. Kmart argued that a PGS exception applied because: 

  • it had reason to suspect that unlawful activity or misconduct of a serious nature relating to Kmart’s functions or activities had been, was being, or may be engaged in; and
  • it reasonably believed that the collection, use or disclosure of personal and sensitive information through the use of FRT was necessary in order for Kmart to take appropriate action. 

The Commissioner was satisfied that Kmart had established the first element, but found that Kmart had failed to satisfy the second element. 

While the Commissioner accepted that it was appropriate for Kmart to take action to detect and prevent refund fraud, she considered that FRT was merely one tool by which Kmart could have implement appropriate action in relation to the unlawful activity. Importantly, it was also necessary to consider the suitability of the use of FRT, having particular regard to: 

  • what, if any, alternatives were available to Kmart; and
  • whether the collection was proportionate, balancing the benefits of using FRT against the broader privacy impacts. 

In summary, the Commissioner found that less intrusive alternatives were available and that the use of FRT was disproportionate to the accompanying interference with privacy of the thousands of individuals who entered one of the stores during the relevant period. 

This is similar to the conclusion that the Commissioner reached in the Bunnings Decision, where Bunnings’ arguments that a PGS exception justified the collection of sensitive information without consent was rejected.

Given that Kmart had failed to obtain consent, and that the PGS exception did not apply, the Commissioner found that Kmart had breached APP 3.3.

Was proper notification given to customers?

In most circumstances, APP 5.1 requires individuals to be notified about the collection of their personal information, including sensitive information. The notice generally needs to contain the information specified in APP 5.2. 

While Kmart provided some general notice of its collection (through a notice at the entry to its stores, posters within the stores, and its privacy policies) The Commissioner found that Kmart should have taken additional steps to notify individuals about its use of FRT. 

In coming to this view, the Commissioner found that the notices provided by Kmart were not sufficient because they should have contained more detailed information about the FRT system in line with APP 5.2, and were not uniformly deployed in all stores.

Given that Kmart had failed to adequately notify individuals of the collection of their personal information, the Commissioner found that it had breached APP 5.2. The Commissioner also found that the inadequacy of the privacy policies themselves regarding FRT resulted in Kmart also having breached APP 1.3, as it did not have a clearly expressed and up-to-date APP privacy policy containing the information required by APP 1.4.

The Commissioner did not impose a financial penalty, but did, among other things, order Kmart to make an apology and to destroy all personal information it still held that was obtained or generated through its use of FRT. 

Similar orders were made in the Bunnings Decision, which is currently under review by the Administrative Review Tribunal.

What can organisations learn from this case? 

Both the Kmart and Bunnings Decisions provide a clear framework for analysing compliance risks associated with the implementation of FRT. Key takeaways include: 

  • That the unlawful conduct in those cases lies not with the use of FRT itself, but in compliance with proper notification and consent requirements.
  • The use of FRT must be necessary and proportionate. In each of the Bunnings Decision and the Kmart Decision this was not the case, as less intrusive methods were available.
  • It is essential to carefully consider compliance under the Privacy Act, as well as privacy impacts and best practice, before implementing or continuing use of any FRT technology.
  • Private sector organisations that are considering using FRT, especially in a commercial or retail setting, should consider and apply the OAIC’s guidance on the relevant privacy risks.
  • Undertaking a comprehensive privacy impact assessment (PIA) process is critical. This will allow organisations to determine:
    • the expectations of privacy that apply in the places in which the FRT will be deployed (e.g. are they public places, or ones in which an essential service is provided; can individuals access alternative places without the FRT technology?);
    • what, and how, individuals must be told about the use FRT;
    • whether a meaningful and valid consent process will be implemented, or an exception in APP 3 will apply; and
    • if alternative and less intrusive means might be deployed to achieve the same purpose (e.g. is the FRT technology merely convenient, or is its use reasonably necessary to address the issue?)

These are, of course, a non-exhaustive list of issues, and ones that are likely to have evolving answers as our expectations of privacy change and FRT evolves at pace. 

The Commissioner has emphasised that her decisions do not constitute a ban on FRT – in a blog on 18 September 2025, she stated ‘It may be tempting to suggest that my successive determinations amount to an effective ban on the use of this technology. However, that is incorrect; the Privacy Act is technology-neutral.’ 

FRT is part of the technological future we are all facing (pun intended). 

It is already being deployed by many entities across Australia, including in airports and other high security risk areas. It is also being actively considered by governments for use in other settings (e.g. the NSW Government is currently considering consultation comments on a Code of Practice it has developed for the use of FRT in hotels and clubs). 

We're here to help

Please reach out to one of our Maddocks privacy and data experts if you are using, or considering implementing, FRT to ensure you can reach the high bar that is currently being set for privacy compliance.

Ooma Khurana

Ooma advises public and private sector clients in information technology, consumer markets and telecommunications sectors, particularly in relation to regulatory compliance and technology.

View profile

Katherine Armytage

Katherine has a highly regarded and dynamic practice in information law, with a particular focus on privacy and data protection.

View profile

Indi Prickett

Indi provides high‑quality privacy, FOI, probity and procurement advice to Australian Government clients, including PIAs for complex ICT systems and Privacy Act guidance.

View profile
By

Online Access